Introduction
How IPC Tackled ISO and CMMC-2.0
in Under a Year
Recently, IPC Foundry Group completed ISO 9001 certification and CMMC-Level 2 compliance, two major quality and security milestones, in less than a calendar year. You may remember our Joint Certification Program article from last Fall, when we were getting things moving.
Achieving this presented a unique challenge for our team: juggling day-to-day operations across our foundries while integrating rigorous new security and quality systems, all without skipping a beat. For many manufacturers, clearing just one of these compliances/certifications can take eighteen months or more. Completing both simultaneously in under twelve months required proactive communication, a culture of problem-solving, and the company-wide buy-in that sets IPC Foundry Groupapart.
In today’s article, we’ll touch on both of these standards, the maze of challenges we navigated along the way to compliance/certification, and how this accomplishment highlights IPC as a motivated, problem-solving partner ready to meet your production needs, no matter the scope.
Overview
So, What Are ISO 9001 and CMMC-2.0?
Before we get into our actual work, let’s quickly explain what CMMC and ISO are. They each focus on different parts of our business, but share a common goal: total reliability.
ISO 9001 (Quality System):
ISO 9001 is the international standard for Quality Management Systems (QMS). It is a meticulous framework that ensures every process, from our initial quote to the final pour, is documented, repeatable, and audited for constant improvement. For the customer, this eliminates the guesswork and randomness often found in manufacturing, guaranteeing that the 10,000th casting meets the exact same specifications as the first.
CMMC-Level 2 (Cybersecurity):
This is one of the Department of Defense’s gold standards for cybersecurity, requiring numerous security controls designed to protect Controlled Unclassified Information (CUI). One example of CUI would be technical drawings and 3D models of a fighter jet component.
While ISO applies to the manufacturing of the physical product, CMMC-Level 2 protects the data and intelligence behind it. For defense customers, this is a non-negotiable standard for any project involving sensitive data. While CMMC isn't required outside of the defense space, compliance here is a benefit to every customer, regardless of industry. If our systems are trusted to handle sensitive government data, you can count on us to protect your IP with that same level of care. Simply put, CMMC-2 Compliance makes IPC a safe bet for customers in any industry.
Part One:
ISO 9001: From Start to Finish in 4 Months
A major reason we were able to lock down ISO so quickly is that we already had quality systems in place in each of our foundries. After all, we’ve been doing this for 45 years! Don’t get us wrong, we still had a substantial amount of work to do, but we weren't starting from scratch. Most experts told us to expect a 6 to 12-month timeline, with 6 months being considered "aggressive." But because we focused on formalizing existing processes, such as tightening our supply chain documentation, we were able to achieve certification in just 4 months.
We don’t want to bore you with every detail from the wonderful world of QA/QC systems, but rather, focus on the intentionality and buy-in from our team that made it all happen. To do that, here’s an analogy:
Recently, I (this article’s writer) bought a vintage camera, a Mamiya C330. For those who aren’t familiar, the Mamiya is a twin-lens camera that shoots on 120 roll film, and it requires several manual steps to capture a photo (see image below). I’ve taken photos on all types of cameras, DSLRs, mirrorless cameras, and, of course, smartphones for years. While each of these takes some practice to produce a quality photo, shooting on film requires a deeper level of manual intentionality. For example, I can’t just check a digital viewfinder and delete a bad shot. Instead, I have to do the legwork ahead of time, such as using a light meter to set the exposure or carefully loading film instead of using an SD card; all of these extra steps are to ensure I get the results I want once the photos are developed.
Similarly, our team had experience with quality management and investment casting as a whole (much like shooting on an iPhone), but meeting ISO standards required a new level of manual intentionality (like our Mamiya film camera). This meant creating a unified quality system that balanced and respected the specific operational needs of both our Utah and Texas facilities.
Closing that gap in just four months required a team that looked for the best way to integrate these requirements into our existing workflow.
As our solutions engineer over the ISO rollout put it:
“I always made a point of explaining why I was making a change, but I also made a point of trying to solve the problem before it was a problem. If I read an ISO standard and thought, ‘I don't love that for how things happen on the floor,’ I’d look for a solution ahead of time. That way, I could present a fix that was as non-invasive as possible while still meeting the standard. It wasn't a compromise, it was finding a win-win in a place where there wasn't necessarily one to begin with.”
This 'win-win' mindset is how we crossed the finish line so quickly. By buying into the ISO standards, our team refined our years of casting experience into a documented, repeatable system. The result is a standard of quality that remains consistent across every project we take on.
The Beautiful Twin-Lens Mamiya C330.
CMMC-Level 2:
Navigating Alphabet Soup
Achieving CMMC-Level 2 required physical updates to our foundry in addition to the expected paperwork. For example, we installed perimeter gates, implemented new front-desk protocols, and made significant investments in our network and data transfer systems. You can read more about those physical changes in our article on JCP Compliance.
While we could write an entire book on every single step we took, we aren’t going to tax your patience with that here. To simplify with another analogy, CMMC-2 was like wading through a bowl of alphabet soup. We spent months living and breathing ITAR, JCP, and NIST while navigating a labyrinth of government websites and acronyms; legwork that our quality team claims was actually the most unexpected challenge of the entire experience.
For all you alphabet soup enthusiasts out there,
here is just a taste of that process:
SAM.gov – Managed our Unique Entity ID and CAGE Codes for our facilities. This is the entry point for all government contracting.
NIST SP 800-171 – This is where CMMC started. We implemented 110 separate security controls to ensure our data handling meets Department of Defense standards.
SPRS (Supplier Performance Risk System) – Calculated and uploaded our performance scores into the DoD’s central risk database.
PIEE (Procurement Integrated Enterprise Environment) – The primary platform for handling solicitations and government communication.
JCP (Joint Certification Program) – The most intense application in the process. This is the final step that grants us access to sensitive technical drawings.
ITAR & DDTC – Secured our standing with the Directorate of Defense Trade Controls to handle defense-related articles. Required before JCP.
Medium Assurance Certificates – Obtained physical hardware keys (IdenTrust) that act as encrypted "flash drives" required to communicate with the DoD.
DFARS – Aligned our entire procurement process with the Defense Federal Acquisition Regulation Supplement—the "laws" of defense purchasing.
GRC Platform – Think of this as “QuickBooks” for compliance. We invested in a digital Governance, Risk, and Compliance engine to track every shred of evidence and documentation.
And that’s not to mention:
DIBBS & NISTKS – The Internet Bid Board Systems for both the DLA and the Navy.
Cfolders – High-security database environment required to handle Controlled Unclassified Information (CUI).
ICON (Integrated Casting Order Network) – Integrated into the "one-stop shop" specifically designed for government casting contracts.
DSBS – Proactively built out our "Capability Narrative" and resume so government agencies can find our specific strengths.
Utah MEP / IMPACT Utah – Partnered with the Manufacturing Extension Partnership for a third-party "Gap Analysis" and education to ensure our practices were airtight.
C3PAO (Certified Third-Party Assessor Organization) a third party that performs the CMMC-level 2 audit. We opted for this to ensure our compliance isn't just self-attested, but externally verified.
And even more optional steps!
To put all of this into perspective, here are the average timelines for achieving CMMC compliance:
Industry Average: 12–24 months from the initial gap assessment to full compliance.
Realistic for most small manufacturers: 18–24 months.
Best case (for well-resourced, mature organizations): 9–12 months.
As with our ISO certification, achieving CMMC-2 compliance relied on a total team buy-in that allowed us to move much faster than the typical industry timeline. It was a massive undertaking that required both a significant financial investment in our infrastructure and a deep commitment of time from our team. While this didn't require the same 'all-hands-on-deck' approach as the ISO rollout on the foundry floor, navigating the labyrinth of acronyms and compliance processes in under 12 months was only possible because the team chose to lean in and make it happen.
Conclusion
So What?
Securing ISO and CMMC proves we can follow a set of rules & guidelines, but that’s only part of the story. Locking in these standards in under a year shows the caliber of the team and the culture of problem-solving you’ll find at IPC Foundry Group.
Cameron Knapp, Head of Sales at IPC, had this to say:
"It’s nice to know a vendor has the certifications, but there are plenty of ISO facilities out there. The bigger picture is that a company with the right people will go out of its way to make things happen. When a culture is visible through things like obtaining ISO, JCP, CMMC, and ITAR all in a single calendar year, trust is earned exponentially quicker."
We took on this challenge because we’re invested in our customers. Plus, we knew we could do it and wanted to flex a little bit!
By adding some of that “manual intentionality” to our quality systems and checking every single one of the acronyms of CMMC compliance off our list, we’ve cleared roadblocks for customers that haven’t even brought us a project yet. If we can lean on our team to accomplish a massive, streamlined task like this, imagine what we can do for your next project.
We asked a member of our quality team what this 12-month turnaround actually means for our customers, and we'd like to close with their response:
“ Looking from the outside in, my first question would be: 'Did they do it right?' But knowing what we did, the buy-in from our team, and having these certifications in hand, shows that IPC is a go-getter for other go-getters. If you want someone you can count on to get the job done right and get it done quickly, IPC is the foundry for you."
You’re a go-getter, and IPC is a production partner to match.
Ready to get Started? Contact Us Today!